Skip to main content

Keygraph Shannon CVE-2026-29023

MEDIUM
Use of Hard-coded Credentials (CWE-798)
2026-03-09 disclosure@vulncheck.com
6.9
CVSS 4.0 · Vendor: vulncheck
Share

Severity by source

Vendor (vulncheck) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (vulncheck) · only source for this CVE.

CVSS VectorVendor: vulncheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Severity Changed
May 01, 2026 - 15:37 NVD
HIGH MEDIUM
CVSS changed
May 01, 2026 - 15:37 NVD
7.3 (HIGH) 6.9 (MEDIUM)
Analysis Generated
Mar 12, 2026 - 21:56 vuln.today
CVE Published
Mar 09, 2026 - 18:16 nvd
HIGH 7.3

DescriptionCVE.org

Keygraph Shannon contains a hard-coded API key in its router configuration that, when the router component is enabled and exposed, allows network attackers to authenticate using the publicly known static key. An attacker able to reach the router port can proxy requests through the Shannon instance using the victim’s configured upstream provider API credentials, resulting in unauthorized API usage and potential disclosure of proxied request and response data. This vulnerability's general exploitability has been mitigated with the introduction of commit 023cc95.

AnalysisAI

Keygraph Shannon's router component exposes a hard-coded API key that allows unauthenticated network attackers to intercept and proxy requests through the application when the router is enabled and accessible. Attackers can leverage this static credential to abuse upstream provider API resources and potentially access sensitive request/response data belonging to legitimate users. No patch is currently available for this vulnerability.

Technical ContextAI

Classified as CWE-798 (Use of Hard-coded Credentials). Keygraph Shannon contains a hard-coded API key in its router configuration that, when the router component is enabled and exposed, allows network attackers to authenticate using the publicly known static key. An attacker able to reach the router port can proxy requests through the Shannon instance using the victim’s configured upstream provider API credentials, resulting in unauthorized API usage and potential disclosure of proxied request and response data. This vulnerability's general exploita

Affected ProductsAI

Keygraph Shannon contains a hard-coded API key in its router configuration that, when the router component is enabled and exposed, allows network atta

RemediationAI

Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.

Share

CVE-2026-29023 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy